Drupal has patched a high-risk vulnerability (CVE-2022-29248) in the third-party Guzzle library that affects multiple versions of Drupal Core.
A remote attacker could exploit this vulnerability to compromise an affected system.
The Guzzle library is used to handle HTTP requests to external services and the responses they return.
“We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerability, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as high-risk,” Drupal stated in the advisory.
The issue is fixed in Drupal 9.3.14 (for sites using Drupal 9.3) and Drupal 9.2.20 (for sites using Drupal 9.2).